A self-proclaimed security expert came to Slack one day to complain about plugin security.
The summary of Kareen’s complaint (not her real name) was she firmly believes that WordPress and WordPress.org are responsible for preventing brute force attacks on users.
Now, I’ve said this a lot. Brute force attacks are best blocked a layer above your website, with a firewall, and preferably one the host runs. But Kareen also claimed she had proof about issues with specific plugins, hence my involvement.
She came to Slack because she’d posted in the forums about security issues and was asked to please come to Slack and talk instead. That’s the norm. Like a great number of people, she took umbrage at that and ranted about the FBI and Dark Ops and Mitnick (remember him!?) and … well. Yeah.
Why NOT In Forums?
Why don’t we want people to talk about security in the forums?
The answer is simple: They’re public.
If you post about a security issue, in public, instead of privately contacting the people involved, you are increasing the risk. Hackers (or rather, kiddie scripters) scan the WordPress.org forums for evidence of security issues and use that to blast everyone and try to hack sites for lulz. And they will get on the hacks before the plugin (or whatever) devs can get a fix out.
So, to be responsible and reasonable, you privately contact the developers, give them some reasonable time to fix things, and everyone wins.
There are some notable shitheads who refuse to do that. As my buddy Jan says, “We’ll keep shooting the employees until morale improves.”
The Right Place and Time
I redirected Kareen to where to report security issues for Core and Plugins. I foolishly assumed that would be enough.
Kareen emailed Plugins with a couple of Word docs, one of which was a complaint about the forum moderators (which was ignored) and the other was about how brute force attacks happened on websites, and people were hunting for plugins she didn’t even have on her site.
I call that ‘Tuesday.’
My sites are hit like that every day of the year. They look for plugins and themes I don’t use. It’s a carpet bomb in the hopes of finding someone vulnerable.
But still, I try to always give people the benefit of the doubt, so I read her other document in full and found her ‘proof’ of hacking.
123.456.78.90 - - [DAY/MON/YEAR:00:46:22 -0500] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 404 118611 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
And how is that proof? She said it was because she didn’t have easy-wp-smtp installed.
The reality? That proves nothing. Script Kiddies regularly attempt attacks on your site without checking if you have a plugin (or theme) first, because it’s easier to just try the attack. If it works, they’re in! If it doesn’t, they move on. If they checked first, our myriad tools would spot them sooner, which they don’t want.
Now, some of those calls were interesting and were doing GET /index.php?token=5db0b95680eb8fd776410fe5a37135a5 which made me curious. They were aiming for specific tokens, but there are thousands of plugins that use that param.
Oh and I liked this one too:
[DAY MON 01 17:29:07.773011 2020][client 123.456.78.90:65409] [client 123.456.78.90] Access denied with code 403 [hostname "www.[redacted].com"] [uri "/register/{{=+data.profileurl+}}"] [unique_id "X@Znsw5Azi2b-mCnSbIgDAAAAAc"], referer: https://www.[redacted].com/register/%7B%7B=+data.profileurl+%7D%7D
Again, we’re clearly seeing a blanket attack on plugins and themes the site didn’t have.
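As an added example (not part of the original post), here is a small Python script that sorts access-log lines like the ones above by whether the requested plugin or theme slug actually exists on the site, so the carpet-bomb noise can be told apart from hits on code you really run. The log lines, IPs, slugs and the installed set are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Combined log format, as in the quoted line; only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
PLUGIN_RE = re.compile(r'^/wp-content/(?P<kind>plugins|themes)/(?P<slug>[^/?]+)')

# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2020:00:46:22 -0500] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 404 118611 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2020:00:46:23 -0500] "GET /wp-content/plugins/not-installed-plugin/ HTTP/1.1" 404 118611 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2020:00:46:24 -0500] "GET /wp-content/themes/twentytwenty/style.css HTTP/1.1" 200 3321 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2020:01:10:02 -0500] "GET /wp-content/plugins/akismet/akismet.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

def classify(log_text, installed):
    """Return {ip: Counter} of what each client asked for.

    'probe_missing': plugin/theme slugs the site does not have (scanner noise).
    'installed': slugs that do exist; worth a closer look if they pile up.
    'other': anything outside wp-content/plugins or wp-content/themes.
    """
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        p = PLUGIN_RE.match(m['path'])
        if not p:
            per_ip[m['ip']]['other'] += 1
            continue
        key = 'installed' if p['slug'] in installed else 'probe_missing'
        per_ip[m['ip']][key] += 1
    return per_ip

def noisy_scanners(per_ip, threshold=2):
    """IPs whose requests for absent plugins/themes reach the threshold."""
    return sorted(ip for ip, c in per_ip.items() if c['probe_missing'] >= threshold)

if __name__ == '__main__':
    stats = classify(SAMPLE_LOG, {'akismet', 'twentytwenty'})  # assumed installed set
    for ip, c in stats.items():
        print(ip, dict(c))
    print('scanner candidates:', noisy_scanners(stats))
```

A 404 for an absent plugin is exactly what the post calls “Tuesday”; the counts only become interesting when the same client also hammers slugs you do run.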
The Calls Are Coming From Inside The House
I scrubbed the IPs in this post, but I did go and check the real ones. They were all Digital Ocean and Amazon Cloud stuff. Those services are regularly used by assholes who build scripts and use the services to hunt down sites with vulnerable code.
Sucks, but it’s normal.
Kareen didn’t like that, but she also didn’t belabor the point and left us alone after we explained it wasn’t something Plugins could help with, because she couldn’t give us the name of a single plugin except easy-wp-smtp, which had actually fixed a vulnerability a couple of months prior.
Kareen went on to rage about how she was going to talk to the FBI (again) and made a couple legal claims. A number of people tried to calm her down, but in the end we told her that her account was suspended because we really really couldn’t help her, and she was screaming into the void.
There really is a limit before you have to cut people off. It’s a waste of time.
And Then …
Later on, though, she filed a complaint:
My account was suspended without proper or professional communication, and while defaming me as “trashing a plugin,” AFTER the network of the same location as the hosted plugin was running brute force login attacks 24/7 on my network.
Wanna guess that network? Digital Ocean.
Yeah. That’s like saying “Someone in NYC peed on my leg, therefore ALL PEOPLE FROM NYC ARE LEG PEE-ERS!”
What someone does on their own hosting is, in no way, WordPress.org’s fault. If the code to brute force was found in a plugin hosted on .org, then yeah, we can do something, but it won’t stop the attacks.
Needless to say, we didn’t reply. There was no point.